Junos OS


Ask questions and share experiences about Junos OS.
  • 1.  Problem with configuring IPSec VPN

    Posted 08-25-2009 14:44

    Hi

    I have 3 J Series routers. R1 is a J2350 and R2 and R3 are J6350s. You may download the topology from the link http://www.4shared.com/file/127527992/c3db9620/Drawing1.html. I have configured OSPF and the full network is converged.

    To configure the IPSec VPN I entered the following commands:

    R1 [J2350] configuration

    CLI commands on R1 J2350 for the zones:

    # set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
    # set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic protocols all
    # set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services all
    # set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic protocols all

    # set security policies from-zone trust to-zone untrust policy allow-out match source-address any
    # set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
    # set security policies from-zone trust to-zone untrust policy allow-out match application any
    # set security policies from-zone trust to-zone untrust policy allow-out then permit
    # set security policies from-zone untrust to-zone trust policy allow-in match source-address any
    # set security policies from-zone untrust to-zone trust policy allow-in match destination-address any
    # set security policies from-zone untrust to-zone trust policy allow-in match application any
    # set security policies from-zone untrust to-zone trust policy allow-in then permit

    # set interfaces st0 unit 0 family inet

    # set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services all
    # set security zones security-zone vpn interfaces st0.0 host-inbound-traffic protocols all

    # set security ike policy ike-policy mode main
    # set security ike policy ike-policy proposal-set standard
    # set security ike policy ike-policy pre-shared-key ascii-text juniper123
    # set security ike gateway ike-gate ike-policy ike-policy
    # set security ike gateway ike-gate address 172.18.10.3
    # set security ike gateway ike-gate external-interface ge-1/0/0.0

    # set security ipsec policy ipsec-policy proposal-set standard
    # set security ipsec vpn vpn-1 bind-interface st0.0
    # set security ipsec vpn vpn-1 ike gateway ike-gate
    # set security ipsec vpn vpn-1 ike ipsec-policy ipsec-policy

    # set security zones security-zone trust address-book address LAN-1 172.17.201.0/24
    # set security zones security-zone vpn address-book address LAN-2 172.25.0.0/24
    # set security policies from-zone trust to-zone vpn policy vpn-out match source-address LAN-1
    # set security policies from-zone trust to-zone vpn policy vpn-out match destination-address LAN-2
    # set security policies from-zone trust to-zone vpn policy vpn-out match application any
    # set security policies from-zone trust to-zone vpn policy vpn-out then permit
    # set security policies from-zone vpn to-zone trust policy vpn-in match source-address LAN-2
    # set security policies from-zone vpn to-zone trust policy vpn-in match destination-address LAN-1
    # set security policies from-zone vpn to-zone trust policy vpn-in match application any
    # set security policies from-zone vpn to-zone trust policy vpn-in then permit

    # set routing-options static route 172.25.0.0/24 next-hop st0.0

    Configuration of R3 [J6350]

    # set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic system-services all
    # set security zones security-zone trust interfaces ge-0/0/2.0 host-inbound-traffic protocols all
    # set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
    # set security zones security-zone untrust interfaces ge-0/0/1.0 host-inbound-traffic protocols all

    # set security policies from-zone trust to-zone untrust policy allow-out match source-address any
    # set security policies from-zone trust to-zone untrust policy allow-out match destination-address any
    # set security policies from-zone trust to-zone untrust policy allow-out match application any
    # set security policies from-zone trust to-zone untrust policy allow-out then permit
    # set security policies from-zone untrust to-zone trust policy allow-in match source-address any
    # set security policies from-zone untrust to-zone trust policy allow-in match destination-address any
    # set security policies from-zone untrust to-zone trust policy allow-in match application any
    # set security policies from-zone untrust to-zone trust policy allow-in then permit

    # set interfaces st0 unit 0 family inet

    # set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services all
    # set security zones security-zone vpn interfaces st0.0 host-inbound-traffic protocols all

    # set security ike policy ike-policy mode main
    # set security ike policy ike-policy proposal-set standard
    # set security ike policy ike-policy pre-shared-key ascii-text juniper123
    # set security ike gateway ike-gate ike-policy ike-policy
    # set security ike gateway ike-gate address 172.17.200.2
    # set security ike gateway ike-gate external-interface ge-0/0/1.0

    # set security ipsec policy ipsec-policy proposal-set standard
    # set security ipsec vpn vpn-1 bind-interface st0.0
    # set security ipsec vpn vpn-1 ike gateway ike-gate
    # set security ipsec vpn vpn-1 ike ipsec-policy ipsec-policy

    # set security zones security-zone trust address-book address LAN-1 172.25.0.0/24
    # set security zones security-zone vpn address-book address LAN-2 172.17.201.0/24
    # set security policies from-zone trust to-zone vpn policy vpn-out match source-address LAN-1
    # set security policies from-zone trust to-zone vpn policy vpn-out match destination-address LAN-2
    # set security policies from-zone trust to-zone vpn policy vpn-out match application any
    # set security policies from-zone trust to-zone vpn policy vpn-out then permit
    # set security policies from-zone vpn to-zone trust policy vpn-in match source-address LAN-2
    # set security policies from-zone vpn to-zone trust policy vpn-in match destination-address LAN-1
    # set security policies from-zone vpn to-zone trust policy vpn-in match application any
    # set security policies from-zone vpn to-zone trust policy vpn-in then permit

    # set routing-options static route 172.17.201.0/24 next-hop st0.0

    After that, to check whether the tunnel is working or not, I ran the following command:

    # run show security ike security-associations

    No result is displayed.

    Any idea?



  • 2.  RE: Problem with configuring IPSec VPN
    Best Answer

    Posted 08-26-2009 00:19

    Hi,

    Try adding the following statement to your VPN configuration:

    set security ipsec vpn vpn-1 establish-tunnels immediately

    Kind Regards

    Michael Pergament



  • 3.  RE: Problem with configuring IPSec VPN

    Posted 09-06-2009 00:10

    R1 has its IKE external interface set to ge-1/0/0. It looks like you should be using ge-0/0/2. Can you confirm which interface is correct?

    -Richard



  • 4.  RE: Problem with configuring IPSec VPN

    Posted 09-06-2009 00:33

    The external interface for IKE on R1 is ge-1/0/0 according to the diagram. In the diagram there is no connection to ge-0/0/2, so there is no reason to use this interface. I hope that answers your question. Thank you.
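As an added example (not code from the thread or from Juniper), a small Python checker for the two points raised in the replies: the IKE gateway's external-interface has to sit in a security zone that admits IKE host-inbound traffic, and without `establish-tunnels immediately` an idle tunnel negotiates no SA, so `show security ike security-associations` is legitimately empty until traffic hits st0. Run over the R1 excerpt quoted above it flags ge-1/0/0.0 as outside every zone; the regular expressions parse only per-interface host-inbound-traffic statements, which is an assumption of this example.

```python
import re

# Excerpt of the R1 'set' commands quoted in the thread (constructed list).
R1_CONFIG = """
set security zones security-zone trust interfaces ge-0/0/1.0 host-inbound-traffic system-services all
set security zones security-zone untrust interfaces ge-0/0/2.0 host-inbound-traffic system-services all
set security zones security-zone vpn interfaces st0.0 host-inbound-traffic system-services all
set security ike gateway ike-gate ike-policy ike-policy
set security ike gateway ike-gate address 172.18.10.3
set security ike gateway ike-gate external-interface ge-1/0/0.0
set security ipsec vpn vpn-1 bind-interface st0.0
set security ipsec vpn vpn-1 ike gateway ike-gate
"""

# Assumption: only per-interface host-inbound-traffic is parsed; zone-level statements are out of scope.
ZONE_RE = re.compile(r"^set security zones security-zone (\S+) interfaces (\S+)"
                     r"(?: host-inbound-traffic system-services (\S+))?")
GW_IF_RE = re.compile(r"^set security ike gateway (\S+) external-interface (\S+)")
VPN_RE = re.compile(r"^set security ipsec vpn (\S+)")
ESTABLISH_RE = re.compile(r"^set security ipsec vpn (\S+) establish-tunnels (\S+)")


def lint(config: str) -> list:
    """Return human-readable findings; an empty list means both checks pass."""
    zone_of, ike_ok, gateways, vpns, establish = {}, set(), {}, set(), {}
    for line in config.strip().splitlines():
        line = line.strip()
        if m := ZONE_RE.match(line):
            zone, ifc, svc = m.groups()
            zone_of[ifc] = zone
            if svc in ("all", "ike"):      # IKE must be admitted inbound on the external interface
                ike_ok.add(ifc)
        elif m := GW_IF_RE.match(line):
            gateways[m.group(1)] = m.group(2)
        elif m := ESTABLISH_RE.match(line):
            establish[m.group(1)] = m.group(2)
        if m := VPN_RE.match(line):
            vpns.add(m.group(1))
    findings = []
    for gw, ifc in gateways.items():
        if ifc not in zone_of:
            findings.append(f"gateway {gw}: external-interface {ifc} is not in any security zone")
        elif ifc not in ike_ok:
            findings.append(f"gateway {gw}: zone {zone_of[ifc]} does not allow IKE inbound on {ifc}")
    for vpn in sorted(vpns):
        if establish.get(vpn) != "immediately":
            findings.append(f"vpn {vpn}: no 'establish-tunnels immediately'; SA is only built on traffic")
    return findings
```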